Internal Audit Indonesia's

Juli 14, 2010

Control Self-Assessment: A Sarbanes-Oxley and Enterprise Risk Management Tool

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

As businesses grapple with how best to comply with new regulations such as Section 404 of Sarbanes-Oxley (SOA), the use of control self-assessment techniques might deserve a fresh look at many companies.

Control self-assessment (CSA) is a process that allows key stakeholders in a company to look at the risks they face, examine the controls in place to deal with those risks and evaluate or “assess” their adequacy. CSA is a flexible discipline of customizable techniques for compiling key organizational information for decision-making. This attribute makes control self assessment techniques widely applicable to and valuable for enterprise initiatives like Section 404 compliance, enterprise-wide risk management programs, and internal control initiatives.

Key role for Sarbanes compliance
A self-assessment process can be employed by organizations at various stages of an SOA project ranging from initial scope definition to development of the testing strategy. Additionally, self-assessment may facilitate understanding of:

  • Which processes and related internal controls drive financial reporting?
  • How are financial statement assertions, such as the COSO Integrated Internal Control Framework, incorporated in the control structure?
  • What approach will assist management to develop an aggregate view of risk and control attributes?

Answers to these complex questions can be developed through a collaborative self-assessment process that will facilitate the collection of data from the appropriate personnel. An organized program accompanied by a tool for data storage and analysis will greatly enhance these efforts.

CSA can play three major roles in compliance efforts:

  • Facilitate sessions with key personnel, process owners, and other related personnel to understand processes and control points
  • Utilize survey technology to collect important information about risks, processes, and related controls
  • Perform entity level assessments of the “tone at the top” for Section 302 Certifications

One advantage of using CSA is that it may help save time. A recent survey of 321 companies by Financial Executives International, an association of finance executives, found that companies with revenues in excess of $5 billion plan to spend $4.7 million, on average, implementing SOA 404 compliance this year.
Another benefit of control self-assessment is that it gets both process owners and management involved in reviewing controls. Section 404 “is all about management owning controls, accountability has to be built in,” notes Fred Umbach, a Protiviti managing director in New York.

Profiles of risk
Internal auditors perpetually evaluate risk throughout an organization to determine the priorities that will be addressed within the annual risk-based audit plan. An ideal process includes significant participation by executives and line managers in a collaborative effort.

Using control self-assessment can help an internal audit department craft an effective auditing plan that directs department efforts to the areas of highest risk within a company. In that way, control self-assessment can help an audit department more effectively allocate budget dollars at a time of increasing demand for those dollars to comply with new regulations.

Many organizations are looking to build in enterprise wide risk management and continuous risk assessment capability. COSO’s ERM framework provides a basis for a continuous risk management program as part of ongoing operations rather than a one-time annual assessment. Collecting information from personnel knowledgeable about changes in organizational risk attributes is a significant challenge to an effective ERM program. Executive management is often not afforded the luxury of both timely and accurate information to execute decisions.

A CSA tool can help bridge this gap. “From a technology perspective, you should seek a tool that meets your diverse needs,” says Michael Mask, an associate director with Protiviti in Denver. Incorporating a web-based technology into your CSA program offers the following benefits:

  • Consolidation of numerous “ad-hoc” sessions, surveys and exercises into a single program
  • Increased global reach via the “accessibility” of technology
  • Automation of time intensive tasks like data gathering
  • Efficiencies achieved through a ‘common language’, process and tool
  • Broader dissemination of knowledge, best practices, and useful resources
  • Integration of a control and risk mindset into daily processes
  • Help automate the creation of reports that are concise, understandable and actionable by Senior Management

Protiviti’s Mask has helped a number of organizations implement a Web-based CSA tool from Protiviti called The Self Assessor, which he describes as “a stellar assessment engine that enables rigorous and robust assessments.” TSA provides management with an ability to design an assessment that incorporates concepts such as action planning, test planning as well as review and signoff. The most effective technologies will be flexible and provide real-time transparency into your assessments. Additionally, a tool should illustrate “dashboards” and produce quality reports in a format that converts data into information. “Ultimately, your CSA tool of choice should be configurable, user-friendly and serve as a “decision-support” system for management,” notes Mask.

An internal audit case study: The more you learn, the better
Carmen Lapointe Young, IIA chair in 1994-’95, was a pioneer of control self-assessment. Now chair of the IIA’s control self-assessment certification, she notes that some may question the value of getting key stakeholders in a company to assess themselves. But the response of internal audit to that should be, “the more you can learn from clients, the better off we all are,” she says.

While serving as corporate auditor for Canada Post (the Canadian government-owned mail delivery company), Young instituted an annual control self-assessment program.
She identified four business processes and 11 enabling processes supporting those business functions.

Her evaluation began by looking at the company’s overall business objectives and then applying those to a given business process. Key personnel would be invited to a process workshop. Each would receive a pre-meeting packet of information, asking them to evaluate risks and controls and to vote on control effectiveness.

Some of her annual workshops included more than 50 people for a given process with about 400 people across the company being involved in one of the 15 workshops held.

Following those, a corporate-level workshop would be held looking at the company’s top five risks, its control framework, the likely impact of those risks on its ability to achieve its annual business objectives and the likelihood of achieving various objectives.

“Internal audit is the process owner” for control self-assessment, Young explains. “It’s my assessment in the end, but it’s now much more credible. Control self-assessment becomes a learning experience to the people in the workshop.”

One benefit of bringing together process stakeholders from different departments is to discover discrepancies in how a given department rates its controls vs. how internal clients see them, notes Young, who recently became vice president, internal audit and evaluation, for Export Development Canada in Ottawa.

Marc Dominus, a managing director with Protiviti in Chicago, agrees: “It (CSA) really has to do with the people responsible for the individual processes assessing the adequacy of controls. It frequently raises the awareness of everyone involved in the process. You frequently get unexpected outcomes. People begin to identify opportunities for synergy or sharing that often would go unnoticed otherwise.”

For example, using a CSA web-based tool, internal audit could administer quarterly controls surveys to process owners or risk management teams asking them to identify any changes that have taken place in their departments. Understanding the changing risk attributes that may have impacted either the design or the operational effectiveness of the controls over that process can be critical to mitigating risks. Internal audit then analyzes the survey results to determine whether additional investigation or reviews are warranted.

The same tool can be leveraged by multiple risk management initiatives and for various other information gathering or monitoring purposes.

A centralized control focus
At Rexam, a UK-based multinational that manufacturers beverage cans, Ron Lottman, chief financial officer and a vice president, sees control self-assessment as a way to achieve a more centralized control focus over the company’s 15 can plants around the world. He’s planning control self-assessment workshops in March to look at controls in such areas as purchasing, inventory and receivables.

While Rexam and Canada Post use workshops, many companies begin control self- assessment with questionnaires to key stakeholders, notes Protiviti’s Umbach. The first year of collecting data via such forms can create a baseline of knowledge about a company that can be built on in future CSA cycles. “The first time through, you’ve got to roll up your sleeves,” he says. “From the second year on, self-assessment becomes tremendously powerful.”

Companies searching for guidance to help them develop control self-assessment programs can turn to the IIA which maintains a control self-assessment center with 823 active members, notes Young. The IIA also offers a certification in CSA, which helps auditors demonstrate an understanding of key knowledge points about CSA. The IIA has certified 992 people since the CSA certification program began in 2000. Certification in CSA can count toward the 4th part of the Certified Internal Auditor exam.


Risk Assessment Process – Facilitation Tips

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.

I. Preparation & Introduction of Risk

  • Invite people to sit at the front of the room (rather than letting them sit at the back).
  • Keep the time schedule in mind and avoid taking too much time for one item.
  • Make sure you take a short break periodically to revitalize the group.
  • Avoid judging participant comments.
  • Manage expectations by directly addressing the expectation(s) that cannot be met.
  • When presenting the concepts of risk management, take your time. It is probably the first time that most participants are hearing about the concepts.
  • When presenting the risk assessment process, spend a few minutes to give people an overview of the whole process before starting with Step 1.

II. Identification of Risk

  • To avoid getting a long list of risks from participants, ask everyone to state one risk. After one round, ask if there are additional key risks concerning the objectives.
  • Be as specific as possible when defining the risk. For example, describe a risk as “Loss of top two key suppliers, Company ABC & XYZ” rather than “Loss of key suppliers.”
  • Avoid documenting current issues since these are the things they should be managing. Ask “Is this an issue?” If so explain that, “an issue is a certainty and a risk is an uncertainty. So what is the risk (uncertainty)?”
  • Ensure that there is a verb included in the risk definition. For example, state that “Employee turnover increases beyond 15%” rather than “The risk of employee turnover.”
  • To speed up the risk definition process, put a temporary definition on screen first and then work with participants to fine tune it.
  • Ask participants how they would formulate a risk definition instead of trying to formulate it yourself.
  • When summarizing, use their words rather than your words. This will increase the feeling that it is an assessment of their risks.
  • To regain focus after a long discussion, summarize the discussions (or ask someone to do that for you) and move on to the next topic.
  • Ensure that the participants are focused on the facilitator by agreeing upfront that the assistant waits for the facilitator to verbally summarize the definition before documenting the risk definition.
  • To gain clarity from participants on risk definitions, ask for feedback. For example, “Is this definition clear for everyone?”
  • Avoid conversations that entail judging the scale of the risk before voting (discussion should concern the definition).
  • When identifying risks, ensure internal risks are also addressed. People can sometimes focus too much on the external risks during the risk assessment process.
  • When explaining risk definitions, make sure people do not give opinions on how they would rank the risk. The voting process comes later in the session.

III. Prioritisation of Risk

  • When there is no consensus on the priority of a risk, ask participants, “Would someone like to say why you might vote high/low on this risk?” Summarize the high and low arguments and ask if people would like to re-vote.
  • Only re-vote when participants say they want to re-vote on the risk significance. Ask participants, “Based on the arguments you just heard, who feels they need to change their vote?”
  • As a facilitator, avoid being drawn into the discussion content by reflecting any content questions back to the group. Focus on the process of the risk assessment and not interjecting your opinion into the process.
  • Keep up the tempo during the voting process by summarizing and managing long discussions.
  • When voting on risk impact, keep repeating “If this risk has happened, what is the impact?”

IV. Risk Sourcing & Action Planning

  • Ensure that a risk owner is assigned prior to starting the sourcing exercise. This helps to ensure that there is buy-in for the risk actions.
  • Avoid spending time on unimportant causes/consequences by performing a quick brainstorm to find the main causes. Cluster the first level of causes, where applicable. Then ask the group which are the most important causes and consequences, of those identified. Only then, drill down the chosen causes/consequences.
  • To get the right level of detail, a rule of thumb is to have three layers of causes for the most important (main) causes. Do this by asking “why” three times.
  • Ask for suggestions in formulation instead of making suggestions in your own words.
  • Type the participants’ suggestions into the risk assessment program as quickly as possible and fine tune it after you have something workable on screen.
  • Wait for the assistant to finish typing before moving onto the next cause/consequence.
  • Formulate the cause/consequence as concisely as possible, bearing in mind that all discussions documented should be understandable after a few months for other people to read.
  • Ensure that there is an adjective/verb included in each formulated cause or consequence. For example, you would document that “customer awareness increases” rather than “customer awareness.”
  • For external risks, focus on the consequences; for internal risks, focus on the causes.
  • Add one action per root cause.
  • Ensure that you only list the actions which are new or actions which need to be reviewed, thus avoiding generating a list of actions already being taken.
  • Add the due date and, if applicable, an action owner to create extra buy-in and a need for urgency.
  • Emphasize that risk action planning is part of future, normal management practice.

V. Content of Risk

  • Point out the consequences of important items in order to create maximum awareness of their relevance to participants’ daily work. If possible, mention specific actions to be taken by people.
  • Make sure that the general point of the risk is understood before getting into the details of a specific problem or question.
  • Ask for feedback such as “Is this point clear to everyone?” If you have doubts that the point is understood, ask someone to summarize it or give a practical example.
  • Ensure you only go into the items/actions that are new or need to be reviewed.

VI. Keeping the Process Going

  • Keep up the tempo of the training session by summarizing and managing long discussions.
  • Keep the time schedule in mind and avoid taking too much time for one item.
  • To regain focus after a long discussion, summarize the discussion (or ask someone to do that for you).

VII. Relevance & Importance of Risk

  • If participants are not convinced of the importance of a specific topic, take a moment to discuss the possible negative business impact of not adhering to the rules (or the benefits of adhering to them).
  • Emphasize that the new procedures are part of future normal working practice.
  • When discussing an especially important item, point out that people may want to make a note of it.

Enterprise Risk Management Interview Questionnaire

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am


The ultimate goal of Enterprise Risk Management (ERM) is to evaluate total returns relative to total risks, leading to more informed business decisions. This questionnaire can be used when assessing an organization’s enterprise risk management strategy. It focuses on the internal environment, objective setting, event identification, risk assessment, risk response, control activities, and information and communication.

I. Internal Environment

1. What is the overall risk appetite of the organization?

2. How committed is the Board of Directors (BOD) to establishing a risk management philosophy?

3. Describe the overall integrity and ethical values and the commitment to competence of the organization?

4. Is the assignment of authority and responsibility over risks well managed? Who manages this process?

5. What is the organizational structure of the company and your department?

6. What HR standards related to risk management are currently in place?

II. Objective Setting

7. How well are strategic and related objectives defined?

8. How is the achievement of these objectives monitored?

9. What activities are on your risk management goal sheet for this year?

10. What does the company need to do well over the next year in order to succeed and reach its goals? What factors do you consider to be critical to your company’s success in the next year?

11. What areas would you like to see moved to the next level of performance?

12. What could prevent you from achieving your goals (e.g. people, processes, funding, etc.)?

III. Event Identification

13. How do internal and external forces impact the risk profile?

14. What other event identification techniques are in place (e.g. self assessment, SOX, report review, trend reporting, fraud hotline, etc)?

15. How are deficiencies captured and reported?

16. How does the organization distinguish between risks and opportunities?

IV. Risk Assessment

17. What do you perceive to be the largest risks to the company, in terms of significance and likelihood? See Protiviti Risk Model for examples.

18. What do you perceive to be the biggest risks within your area of control? Please provide examples.

19. Thinking of other areas within the company, how well do you receive information from the shared services groups (e.g. IT, Finance, HR)?

20. What additional information would you like to have accessible in order to help you better perform your management responsibilities?

21. In your opinion, what areas or processes are most susceptible to fraud?

22. Are you aware of any instances of fraud within your company? What/how/who?

V. Risk Response

23. How are risks monitored and reported within your organization?

24. How effectively are you managing identified risks?

25. What are you doing specifically to manage identified risks (e.g. financial statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BOD involvement and reporting)?

VI. Control Activities

26. What is your assessment of the effectiveness of overall controls in preventing risks and carrying out risk activities within your organization?

27. How are control activities tested?

28. What type of review process takes place for policies and procedures?

29. What type of review process takes place for IT application controls and the IT general control environment?

30. What does the company do to address entity-specific controls?

VII. Information and Communication

31. How does the organization/your department capture information and communicate related risk?

32. What communications barriers are present within the organization?

33. What ongoing monitoring activities are in place (e.g. compliance monitoring, IA, risk management group, BOD monitoring, etc.)?

34. How are control-evaluation results communicated?

Internal Auditing: Increasing Reliability

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am
Expert tips for making internal auditing indispensable to external auditors and the governance process.

by Christina Brune, Editor of Auditwire

“This article was reprinted with permission from the Jan/Feb 2004 Issue of Auditwire, published by The Institute of Internal Auditors, Inc.,”

The string of U.S. corporate failures and resulting legislation and regulations during recent years have placed a spotlight on the relationship among external auditors, internal auditors, and the organizations they audit. As the dust settles and the Public Company Accounting Oversight Board (PCAOB) begins issuing standards to guide auditors in the professional pursuit of objective auditing, one question weighs on the minds of chief audit executives (CAEs): How much will the external auditor rely on the work of internal auditing for internal control assurance and financial statement attestation?

Although the PCAOB’s recent exposure draft suggests that external auditors’ reliance on internal auditing may soon be limited, The IIA offers another viewpoint: “We think that the auditor should be able to place much more reliance on a competent and objective internal audit function than the proposed standard indicates. It should be left up to the professional judgment of the external auditor as to the level of reliance to be placed on the work of others. Internal audit functions in compliance with The IIA’s Professional Practice Framework, including the International Standards for the Professional Practice of Internal Auditing (Standards), demonstrate a number of dependable qualities such as ethical integrity, independence, competency, and sound audit planning with a focus on risk management.”

Until the PCAOB releases its final determination, external auditors will likely continue to rely upon the work of the internal audit function for risk analysis and ongoing testing of the organization’s internal controls. For the time being, the two have a symbiotic relationship. In many instances, internal and external auditors work closely to ensure that the organization’s financial and operational risks are identified, controls are thoroughly tested, and regulatory requirements are in compliance. Together, they provide broader coverage and exhibit the fullest use of the organization’s resources.

To maintain this partnership and to limit redundancy of audit testing for control validation, internal auditors must prove that their work is reliable. External auditors from three prominent certified public accounting firms spoke with Auditwire and described, from their perspective, what constitutes “reliability” in an internal audit function. As one would expect, many of the characteristics they consider valuable are requirements of The IIA’s Standards.

Competent staff

External auditors agree that an educated, experienced internal audit staff is one of the most important considerations when assessing the reliability of an organization’s internal audit function. “We typically review the internal auditors’ professional background, training, and expertise, and in many cases request a résumé,” says Gerry Pfeiffer, partner and director of the Financial Institution Practice for Clifton Gunderson LLP in Peoria, IL. “IIA membership and the presence or pursuit of certifications implies a degree of professional integrity, competency, and a commitment to ongoing training,” he adds. Pfeiffer also values internal auditors who keep up with current events in their specific industry and the changing audit standards.

Wayne Kolins, national director of assurance for BDO Seidman LLP in New York City, likewise examines the internal auditors’ credentials, how long they’ve been in their current position, and whether or not they hold a degree in accounting or are certified public accountants (CPA). “Their longevity at the company and how well they understand the business are also important,” he says. “Being a CPA may not be essential, but it certainly would help. I think it would also help to see whether any of the internal auditors had public accounting experience, so they could better understand how the external auditors operate and the kind of testing that the external auditors would be doing.”

Independence of internal audit function

Another top concern is internal auditing’s reporting line and its independence. “In my view, internal auditing needs to report directly to the audit committee,” says Michael Hall, managing partner of Grant Thornton’s Chicago office. “When we go in and see a structure where the internal audit department is reporting to the chief financial officer (CFO), and the CFO determines what areas will be audited and has significant control over the determination of risk areas, it’s not independent. I wouldn’t rely on any of their work.”

Kolins agrees that objectivity is compromised when a CAE reports only to the CFO. “The CAE should report directly to the audit committee, with no impediment in terms of going through the CFO, in cases where he or she sees issues arising,” he says. “Direct access to the audit committee is critical. We give a lot more credence to an internal audit staff that has a strong reporting line to the audit committee.”

Responsiveness to findings

Hall points out that although the organizational chart is important, another indicator of a truly objective and effective internal audit organization is its ability to effect change. “Ideally, we like to see past audit reports that have been supported by the audit committee and management and changes in the control structure based on those reports,” he says, adding that his group takes it seriously when there is strong tone at the top of the organization that supports internal auditing. “If you’re in a situation where issues have been raised by the internal audit group, and nothing has been done about those issues – even though they’ve been reported to the audit committee – you need to take a closer look at why the audit committee isn’t taking them seriously enough to go back to management or the CFO and ask them to correct the problem or provide more information.”

Function that’s not outsourced

Some external auditors have found that they’re able to place greater reliance on internal auditing when the function is performed by the organization’s own employees. “Personally, I greatly value the internal audit effort within a company and strongly prefer that clients have internal audit departments as opposed to outsourcing that function,” Pfeiffer notes. “I think competent, qualified internal auditors working within the company can provide more daily observations and insights into the company rather than external individuals who come in on a piecemeal basis.”

Solid audit plan

A well-constructed audit plan that covers at least a year is key to eliciting external auditors’ confidence in the internal audit function. “What you want to see is a keen sense of risk analysis and a well-thought out and well-documented process for developing the annual audit plan,” Hall explains. “You might ask, ‘How has internal auditing assessed the organization’s risks? Do they have a methodology that makes sense for risk assessment? And is the organization using this methodology? What areas are they looking at? And if there are significant areas that they’re not looking at, why not?’ If the internal auditors are going to be relied upon by the external auditors, you need to get an understanding of how they determine audit risks and assess whether they’re doing a good job of that. If every year, the internal auditor looks at the same areas routinely, that doesn’t give the external auditor a lot of comfort.”

Pfeiffer maintains that his team also evaluates the risk assessment process and looks at the scope, depth, and timing of the internal audit plan to see how they dovetail with the external audit plan. “We do sometimes influence the internal audit plan by asking the internal auditors to adjust the scope, timing, or overall extent of their work so as to permit greater reliance by us and to help avoid redundancy. Our preference is to coordinate our efforts so that we get the desired amount of work done at the right time,” he says.

Although Kolins indicates that his team also examines the internal audit plan and tries to use that plan within its own audit plan as much as possible, his group is guarded about sharing the external audit program with the organization. “Let’s say that internal auditing reports to the CFO, but has a dotted line to the audit committee,” he says, hypothetically. “In this day and age, we won’t tell the CFO about our detailed audit program, but we’ll share it with audit committee members, because they are the objective overseers of the company, and we’ll explain to the internal auditors what we’re going to do and what we’d like them to do to make our job more efficient. We don’t mind telling the audit committee or the internal auditors directly, as long as it is not divulged to the CFO or the rest of the company.”

High quality of work

“Perhaps the single most important indicator of reliability is the internal auditors’ ability, which is reflected in the work they do,” Kolins explains. “If after retesting a sample of their work, we have different findings or draw dissimilar conclusions, then we probably wouldn’t rely on the internal auditors. But if we come up with the same findings, then we have a basis for reliance.”

When beginning an audit of a particular area that has already been covered by internal auditing, Pfeiffer examines the internal auditors’ reports, programs, questionnaires, and specific underlying workpapers. “I look for evidence that the internal auditors understood what they were auditing and that there was adequate evidence for their sign-off of the specific programs reviewed,” he says. “A significant concern of mine would be if the audit programs or related workpapers were superficial in nature, didn’t bear evidence of an actual sign-off, or didn’t appear to be supported by workpapers giving evidence to the specific comments. Typically, those types of things translate into a superficial audit that lacks substance.”

Hall also studies the internal audit reports issued during the previous year to get a feel for the quality of internal auditing’s work. “If the internal audit group rarely comes back with any findings or recommendations, it either means that we’re dealing with one heck of a company, or maybe the internal audit function is subpar,” he says, adding that it’s imperative for internal auditing’s work to be well documented. “In today’s day and age, the view is, ‘If it’s not documented, it’s not done.'”

Communication with the external auditors

Another component of internal auditing’s perceived reliability is the audit group’s coordination and communication with the external audit team. “I appreciate a CAE who engages in a dialogue with the external auditors and the audit committee regarding new issues and hot buttons facing the corporate entity,” Pfeiffer notes. “Over time, hopefully, the external auditors serve as a sounding board for the internal auditors, and we establish a rapport so that if they have specific technical questions regarding a new area that they’re auditing, we can provide advice and training as a mentor. The mutual goal would be for internal auditors to perform higher quality audits. And that would enable us to place greater reliance on them.”

A new perspective

In the audit field, which is chock-full of objective, methodical investigation, it’s somewhat ironic that many external auditors don’t have a point system or numerical rating to help them determine objectively whether or not the internal auditor’s work is reliable. Instead, it’s purely a judgment call. At the end of the day, internal auditors must impress the external audit team with their independence, competency, and the quality of their work.

Not coincidentally, many of the characteristics common to reliable internal audit functions are required by The IIA’s Standards and are simply good practice for the prosperity of any internal audit group. However, it’s a good idea for CAEs to assess these issues not only from the perspective of their own successfulness, but also through the eyes of the external auditor to promote the most trusting partnership professionally possible.

Visit The IIA’s Standards online for more information about topics such as:

  • Independence.
  • Professional proficiency.
  • Scope of work.
  • Audit planning.
  • Internal-external audit coordination.
  • Risk management.
  • Recording information.

Using technology to make SOX a less costly, more reliable process

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

Many organizations have spent millions of dollars and tens of thousands of man-hours to complete the documentation, testing and reporting required by the Sarbanes-Oxley Act (SOX). In retrospect, many organizations faced two very common issues.

1. Documenting too many controls

When SOX compliance was in its infancy, no one was certain how many documented controls constituted too few, too many, or just right. Preferring to err on the side of caution, most companies documented every control they could find. Not just key controls, but every control.

2. Documenting mostly manual controls

SOX teams often lacked ERP experts with a detailed understanding of the embedded system-based controls (often called configurable controls). Therefore, they mostly documented manual controls.

The net effect of these errors is that companies performed very extensive and largely manual testing. These “testing projects” occur quarterly and annually for the 302 and 404 certifications. Often, this is costly work that is not adding value or improving the internal control environment.

Most companies seasoned in SOX compliance are beginning to change their approach. Rather than approach it as a project, they see the advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance helps companies maintain strong internal control over financial reporting and saves money in the long-term. To accomplish this, proper use of technological tools is key in creating an effective and sustainable transition from project-to-process.

Automating and optimizing controls

Technology plays a big role in moving SOX compliance from a project to an ongoing, sustainable process. Manual controls are more prone to failure than automated controls; they are detective rather than preventive, identifying problems only after they have occurred; and they are ad-hoc, meaning only a portion of all transactions are evaluated and tested.

Optimized automated controls are systems-based, preventive and managed. These features allow companies to engage in more self-assessment, entity-level and process-level monitoring, and automated testing. Also, automated testing more accurately covers a larger universe than manual testing.

The role of technology in regulatory compliance can be broken down into two parallel tracks – (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements.

In many instances, companies do not need to purchase expensive new technology tools. Many companies can make significant advances by making better use of the applications and tools they already use. The result is improved sustainability, lower costs and greater value to the internal control environment and compliance process.

ERP companies and other business technology vendors recognize the benefits they can provide to the control environment and compliance process. As a result, they have been improving their products in an evolutionary way.

Continuous control monitoring

The highest levels of compliance technology provide continuous control monitoring and improvement, and supports enterprise risk management (ERM). With continuous control monitoring, companies achieve preemptive SOD conflict analysis, real-time transaction exception monitoring and master data and configuration change alerts. These features keep management on top of, and in many instances, ahead of developments. They can immediately detect problems or often anticipate and avoid them.

ERM provides the greatest value to the organization. With ERM, companies have the ability to integrate compliance frameworks, tools and data. They gain portal access to personalized risk management information. They also enjoy the benefits of proactive risk identification and evaluation.

To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and preventive-versus-detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities, and implementing necessary control and process changes. SOD issues must also be addressed, including the design and acquisition of rule sets, assessment of existing roles and assignments, identification and mitigation of potential gaps, redesign of roles where necessary and cleanup of assignments.

Once process maturity is achieved, SOX compliance costs become much more predictable. They are also lower than the expected costs of a manually driven project approach. This decrease in cost occurs because most of the controls testing, monitoring and documentation are automated and woven into business processes.

The move from manual to control automation entails an investment in people, tools and time. However, once automated controls and SOD are in place, organizations can actively maintain the environment. It is this active maintenance that ensures compliance becomes an ongoing process rather than a stand-alone project.

Keeping one’s guard up

Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the “project” mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness.

Along with active maintenance, continuous monitoring and automated testing enables organizations to stay on top of employee turnover, quickly address SOD issues and address changes in the environment to keep the technological tools current.

Vendor tools from Applimation, Approva, Logical Apps, Virsa, Oracle and Protiviti (Assure Controls) are key to helping organizations ensure active maintenance of their control environment. A story about a Protiviti SOX client illustrates the effectiveness of these tools.

Company A had been through nearly two years of SOX compliance when Protiviti brought in the Assure Controls tool to assess the company’s high-risk control areas. The findings fell into four categories.

  • In the first category, the tool identified 40 controls that matched to the automated assessment and tested without exception. The potential for improvement here resided in the ability to replace manual testing with automated testing.
  • In the second category were 69 controls that matched but tested with exception. This means 69 of the controls were being improperly relied upon at Company A. Potential for improvement included enhancing security and configurable controls and automating testing to achieve efficient and replaceable results.
  • In the third category, 98 controls were identified that were turned on but which were not mentioned in the control documentation. As a result, this company was missing opportunities to place more reliance on these controls and reduce manual testing.
  • The fourth category contained 145 controls that could have been implemented but were not. They were not identified in the documentation and tested with exception.

In the end, there were:

  • 109 already identified application controls that could be tested more efficiently, including the 69 that tested with exception.
  • 243 application controls that could be used to replace manual controls.
  • 214 potential security/configuration issues.

One conclusion to be drawn from this example is that prior-year testing and conclusions may have been wrong due to the inherent limitations of manual testing of sophisticated applications.

A further argument for using automated tools to transition from project-to-process is the stance of the external audit firms. They appear to be preparing to deploy sophisticated application analysis tools for future audits and Section 404 assessments.

By automating controls where possible and shifting the focus away from detailed application testing and onto the tools and rule sets used to monitor the applications, time and effort can be saved, with reliability of results greatly enhanced.

The need for active maintenance cannot be overstressed. Without a process to maintain and monitor the ERP control environment, it will likely weaken over time, forcing companies to spend significant resources to bring it back up to a high level of efficiency. It is the maintenance aspect that ensures SOX compliance remains a process that can be predictably and reliably managed.

Beyond the obvious—making room for IT at the ERM table

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

If executives and audit committee members think about enterprise risk management, they typically think about it in terms of business risks and impacts: adverse news reports, failure to meet sales objectives or turnover in key positions.

That is assuming they think about enterprise risk management at all.

But in this, the Sarbanes-Oxley era, it has become critical for companies to be thinking of ways to leverage the information gleaned from Sarbanes initiatives and investments. Smart companies will find that enterprise risk management provides an opportunity to go beyond Sarbanes-Oxley to manage their information technology across an enterprise risk management framework.

Why IT?
When an organization’s leaders set forth their annual goals and objectives, any analysis should incorporate technology risks. Yet it is hardly the norm for companies to think about the technology implications of their business risks. At worst, they are forgotten. At best, they tend to be an afterthought.

However, it is becoming clear that companies are trying to take better advantage of IT-enabling technologies to become more efficient. From a competition perspective, doing so may also provide them with a key strategic differentiator.

Take, for example, a retail firm that uses online package tracking to help its customers. The service is part and parcel of a business strategy to allow greater user access to data. Obviously, the risks of this strategy need to be considered: What happens if users are unable to access the status of a package? What if the status is not available to the user at the appropriate time? What if the information is not updated? All these risks, with their origins in business strategy, link back to technology and need to be evaluated as such.

Too often IT is siloed, and the risks are not uniformly managed from an overall business objective and business risk perspective. In short, IT frequently is playing catch-up, its leaders simply trying to make IT part of the conversation. In fact, IT leaders should be able to alert colleagues to key technology risks of business objectives, as well as potential downsides of using a particular technology to achieve an objective.

Technology’s far reach should not come as a surprise. Sarbanes-Oxley has clearly revealed that many IT risks and controls used to manage companies are not confined within the IT department. Sometimes business departments have their own systems and applications, which are critical to key financial processing elements. Furthermore, they own those applications; IT has nothing to do with them. It has also become apparent that spreadsheets pose their own difficulties. Applications in their own right, spreadsheets are key processing elements to financials and operations. Here again, however, issues arise concerning security, change management, and accuracy.

Third-party vendors are another critical, if often overlooked, nesting ground for technology risks any time data transactions occur with these parties. Companies need to understand, at a detailed level, what takes place in a vendor’s environment—and to obtain appropriate assurance regarding those activities.

In short, technology risks spread far beyond the confines of the IT department’s walls.

The crucial links—and an answer
Underlying any company’s success are a series of infrastructure layers, all of them linked. Business policies may direct the final step toward achieving intended results. But such policies would wither without a basis in sound business processes, carried about by people, who are, in turn, supported by reports and methodologies. And at the root of it all is data, generated by IT systems. Thus, it is critical for each element to be included in risk management considerations.

Enter the Capability Maturity Model. With its five defined levels of capability, it is a potent mechanism for measuring risk.

Take a software development company as an example. Its goal may be to achieve the so-called managed state, defined by a well-managed, enterprise-wide process to ensure delivery of quality software to customers. However, an examination of the processes used to develop the software and manage its quality might reveal an actual, operational capability at a lower state, the “repeatable” state, marked by excessive reliance on people rather than processes and a notable lack of controls documentation.

The model thus provides a clear picture of the current situation as well as the goal–and of the risks that lie between. The model also provides a road map, a means by which executives—particularly those who lack an IT background—can visualize and begin to manage technology risks from an enterprise perspective.

Bringing in Sarbanes-Oxley
How does this all tie in with a company’s Sarbanes-Oxley activities?

Typically, organizations carve up their IT compliance scope based on three levels of controls: entity level, application and general. Of course, all of this is driven by business processes and the applications supporting them. Just as important are the owners or managers of these applications, whether in-house or third party.

Invariably, what unfolds is a scenario involving a multitude of different processes for managing every IT application, each involving different people, different sign-offs and different controls, which, in turn, give rise to different documentation and testing requirements. At the same time, each application represents opportunities for companies to reduce the risk in their organizations from a business perspective.

Sarbanes-Oxley Section 404 compliance can be a starting point for enterprise risk management, with IT as a critical component. Through Sarbanes-Oxley compliance activities, companies can identify opportunities to better manage risks and eventually move up the “food chain” to evaluate other compliance and operational risks outside the 404/302 mandate.

Ultimately, the IT perspective should become an important element in executive settings and strategic planning efforts. Moreover, that should lead to opportunity for hard-dollar savings, such as reduced duplication of IT management processes and reduced testing and management of IT controls. Among the many potential benefits:

  • Better business alignment
  • Process maturity
  • Comprehensive IT assessment
  • Robust IT risk inventory
  • Improved application and system delivery results
  • Greater awareness of technology’s impact
  • Increased coordination and collaboration between the business and IT leaders, and better use of IT for competitive advantage.

Make no mistake: leveraging Sarbanes-Oxley in the context of an IT-ERM framework brings tremendous value to the organization, synergistically and financially—which should be enough to convince even the strongest skeptics.

Mei 7, 2010

The Next Step: Extracting Value from Sarbanes-Oxley

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

The Next Step: Extracting Value from Sarbanes-Oxley

By Colleen O’Donnell KnowledgeLeader contributing writer

Accompanying the Sarbanes-Oxley Act of 2002 was a ruling by the Securities and Exchange Commission requiring that publicly traded companies expedite external financial reporting timelines. This ruling would have garnered greater attention if not for SOA, which has consumed finance resources. However, as SOA Year One is wrapping up for a majority of filers, the new financial close timelines have taken the spotlight. In many situations, SOA compliance has added work tasks to the month-end close process and the financial executives are wondering how they will meet the demands of the regulators and continue to run their businesses.

The answer is buried in their SOA documentation; all they have to do is dig. Within the mountain of SOA documentation, there are opportunities to accelerate the month-end close process while reducing both cost and risk.

The task-level process review required by SOA was necessary to highlight internal control weaknesses. However, this granular view also can identify redundancies, inadequate systems tools and process quality (accuracy) issues that reduce effectiveness and efficiency.

With Year One behind most companies, this is the perfect time to mine the data while preparing for Year Two. “Most companies have thoroughly documented their month-end close process,” says Jim Pajakowski, a managing director at Protiviti, “but they haven’t had time to improve it. They’ve learned a lot but haven’t acted yet to comply with the new SEC requirements. Companies have to do more now, and they have less time to do it.”

Does your process measure up?

Companies that have implemented sophisticated ERP software tools continue making a large number of manual journal entries to close their books. These entries are often to correct errors that were made during the month or to capture transactions that were recorded on spreadsheets. While it is comforting to know that back-end, manual controls are working; this is a high-risk strategy. Continued reliance on manual controls is neither an effective nor efficient method to close the books each month.

Key indications that a company’s finance processes would benefit from a month end close review include:

  • A month end close cycle exceeding five days
  • A lengthy delay between the close and issuing statements
  • A history of restatements
  • A large number of manual journal entries to record transactions or make adjustments and reclassifications
  • A high dependency on spreadsheets to record accounting transactions or support manual journal entries
  • Limited time for financial and operational analysis

Long closing cycles minimize the time for value-added analysis. Finance organizations need to migrate beyond transaction processing and error detection in order to become strategic business partners with their customers.

Improving the process

Following Year One, many companies are left wondering how they can improve the efficiency of the close process while ensuring that they don’t endanger the 404 compliance they worked so hard to achieve. The first step is to analyze the existing SOA documentation to determine the current process tasks and performance results. “Because companies already have a baseline, they can hit the ground running pretty fast,” says Brian McGregor, a senior manager at Protiviti.

Tom Batina, a managing director at Protiviti, says companies have the unique opportunity to challenge what they’re doing. At every step in the process, companies should ask:

  • Why do we do this?
  • Does it add value?
  • Is it an effective control?
  • Can it be eliminated or simplified?
  • Can it be automated?

“This is an excellent opportunity to take advantage of the knowledge gained from Sarbanes-Oxley efforts to make significant improvements,” adds Pajakowski. “Eliminate things you shouldn’t be doing. Simpler processes are more efficient, and they’re easier to control, too.”

As companies work to increase quality, they often find that errors tend to occur outside of accounting and finance: time or production reporting errors, receiving/shipping cutoff issues, and account coding errors. By tracing the error upstream to the root cause, finance organizations can attack the issues that create additional work pressures for them during the financial reporting process. From there, the company can develop the necessary changes that eliminate duplicate work, reduce cycle times and minimize manual tasks. Companies with best-in-class month-end close processes:

  • Minimize the number of manual journal entries
  • Automate recurring journal entries
  • Link subsidiary ledgers directly to the general ledger
  • Limit the number of general ledger trial balance runs to two
  • Perform account analysis and reconciliations outside the close cycle
  • Incorporate estimation techniques in non-quarter month-end closes
  • Set materiality tolerance limits for adjusting journal entries
  • Use key performance indicators measuring quality, cycle time and cost
  • Leverage analytical software tools that are linked to the general ledger to minimize manual data entry and facilitate the preparation and issuance of reports

In order to establish improvement targets and estimate the savings potential, finance organizations can measure their progress against a set of month-end close benchmarks including:

  • Month-end close cost as a percent of revenue
  • Month-end close cost per full-time equivalent
  • Staff per $1M in revenue
  • Number of days to close (monthly, quarterly, yearly)
  • Length of reporting cycle (earnings, annual report, 10K, 10Q)
  • Number of charts of accounts
  • Number of non-system journal entries

What you can expect to gain

SOA compliance has placed a heavy burden on public companies. Companies now have an opportunity to drive value from the compliance effort by digging into the documentation to identify where improvement is possible and then taking appropriate action.

Companies that implement finance best practice process techniques have reduced close and reporting cycle times significantly, thus allowing them to meet regulatory reporting requirements and provide value-added analysis for management.

“Getting better data quicker allows you to react to changes and run a business better,” says McGregor.

Batina adds, “What happens when an operating issue surfaces and management has to wait 10, 12, or 15 days for a report with little, if any, analysis? The problem has likely festered and will have an even greater impact on the next month’s results before management has a chance to install corrective measures. A simple process is easier to control than a complex one. As you increase quality, you decrease risk and cost not only in finance but in the business.”

Raising An Audit Issue Is One Thing, Closing It Out Is Another

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

Raising An Audit Issue Is One Thing, Closing It Out Is Another

Steve Stanek, KnowledgeLeader contributing writer

“The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented on that senior management has accepted the risk of not taking action.” – International Standards for the Professional Practice of Internal Auditing: 2500.A1

Do an audit, reach findings, set action plans to address deficiencies, follow up. Sounds straightforward, but satisfactorily resolving audit issues can be complicated.

“Internal audit sometimes puts the cart before the horse,” says Larry Harrington, vice president of internal audit at defense contractor Raytheon Co. “Auditors sometimes think they must come up with the perfect recommendation. In reality, the best recommendations and action plans are developed by facilitating a dialogue with management and experts on the topic, to arrive at the most appropriate recommendation and action plans. Management owns the action plans so including them in the discussions reinforces their ownership.”

This is done at Raytheon, where they also maintain a database of action plans agreed to by management, according to Harrington. Management’s responsibility is to regularly review the database and note corrective actions that have been taken. Internal audit monitors the database on a monthly basis. Several weeks before a due date, the customer receives a friendly call to discuss progress on the action plan and ensure it will be completed on time. “This process often helps to expedite action plans that have been placed on the back burner due to other priorities and is a better approach than waiting until items are past due to follow-up. After all, internal auditors are here to create positive change, and these calls often help keep action plans on track.”

Raytheon’s chief executive also initiated a change to the standard monthly operational meetings to include one page devoted to any overdue audit recommendations.

“Part of what the database does is help keep action plans somewhat in the forefront,” Harrington says. “If the president must report each month to the CEO if he has overdue audit recommendations, this encourages the business folks to make sure they’re keeping pressure on the right people at the right time. This drives ownership where it belongs. We think this will help make sure action items get implemented timely.”

Raytheon had been outsourcing its internal audit function for the past five years, and several months ago it hired Harrington to bring it back in-house. Harrington reports to the CEO, and he attends all business reviews and strategy sessions.

“Internal audit must understand risks, and to do that it must have a seat at the executive table,” Harrington says.

Focusing on follow-through

David Walker, who teaches accounting and auditing at University of South Florida in St. Petersburg, FL., also serves on the audit committees of three public companies. He says reporting of deficiencies and follow-through on recommendations “has become a hot topic” in his classes because the reporting requirements of the Sarbanes-Oxley Act have focused corporations on those topics.

Sarbanes-Oxley, he says, has made follow-through on internal audit control matters more important from an audit committee standpoint as well. He recommends as a best practice the creation of a follow-through process, similar to that described by Harrington.

“A recommendation or issue should be raised, communicated, then tracked from that point forward,” Walker says. “The manager of the unit responsible would have to respond to the issue; perhaps an intermediate-term remediation would need to occur. There would need to be agreement on a timetable for completion of the remediation along with either follow-up testing or confirmation that the fix has solved the issue. From an audit committee perspective, that becomes a closed loop for each issue.”

Parveen Gupta, associate professor of accounting at Lehigh University in Bethlehem, PA., says use of technology is important to track action plans and check the status of remediation of audit findings, especially in large or complex organizations.

“On a conceptual level, if you’re using a software package, it could turn on various features that would generate some kind of audit report at a regular interval, like aging of accounts receivables,” he says.

He suggests the information to be tracked should directly relate to what would satisfy the requirements of PCAOB Standard No. 2, the standard on attestation engagements referred to in Section 404(b) as well as Section 103(a)(2)(A) of the Sarbanes-Oxley Act of 2002. It addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.

“Relate it to management’s assertions, to causal categories, to various accounts, to the control owners,” Gupta says. “Then you’d want to have other information, such as target dates for resolution, and, if possible, an indication of what kind of deficiency is being addressed.”

A critical step, according to Gupta, is developing complete documentation to explain:

1) How an audit issue was found
2) The process that was used to find it
3) How the issue was communicated to the control owner
4) The recommendations to remediate the problem

Remediation and retesting

Depending on the seriousness of the issue being addressed, the internal audit department may want to “pay attention to some of the demographics that are collected,” Gupta says. “They may want to include remediation in the audit plan for the next month or quarter, or maybe a representation from the hard-and-fast rule is impossible, because of many variables that can come into play. control owner is good enough. Internal audit needs to remember when they do initial audit planning at the beginning of the year, they should plan for some time for some of these things. If they are taking the lead in testing, they need to create slack in the budget to handle this.”

He suggests that any issue with “more than a remote chance” of being escalated to a material weakness should be remediated and retested.

He also recommends that the board of directors or audit committee set policy for how much time should be given to fix problems, depending on whether the issue is low, moderate or high priority. He adds, though, that setting a hard-and-fast rule is impossible, because of many variables that can come into play.

Even low-priority items can become major concerns if multiple small control deficiencies in an area turn up.

“It is possible that all those small deficiencies collectively could rise to the level of a material weakness,” Gupta says.

Judgement comes into play here as well as with the evaluation of management’s response, he says. If the control owner is not cooperating, the underlying reason must be determined.

“Internal audit will need to take a little bit of a leadership role,” Gupta says. ” Ask why they’re not paying attention. Ask, ‘Do you think it’s not serious? Let’s chat about it.’ It’s a question of judging the intent of management. If you feel the intent is malicious, bring that to the directors. Otherwise go through the normal chain of management.”

Getting management involved

Another way to make sure management takes audit issues seriously is to make their response part of their performance evaluation.

“If you find certain control deficiencies, when the supervisor of that unit is evaluated, show the amount of time to fix the problem. That will get attention,” Gupta says.

Basil Woller, a director in Protiviti’s Houston office, says management should always be involved in developing an action plan.

“Management ought to be convinced that the actions will address the issue that was raised,” Woller says. “The second thing to keep in mind is setting reasonable or realistic time-frames. If you have a significant area that is complex, and the fix is not easy, it may go across functional departmental lines and take a collaborative effort.”

University of South Florida’s Walker also raises that point. “Sometimes you’re going to find an issue that will require a systems change,” Walker says. “The manager is going to depend on resources from an outside department. It’s important to list all the responsible parties and be sure the IT department understands the importance of their role in meeting deadlines and remediating the deficiency.”

Financial Ratio Analysis Tool

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

1.   Performance Ratios

Return on Equity:

(Income After Tax, Before Common Dividends and Extraordinary Items / Total Shareholder’s Equity)

Return on Equity (ROE) represents the rate of return on the stockholder’s invested capital.  This ratio measures a company’s performance in using assets to generate earnings.  However, unlike the return on assets ratio, the ROE explicitly considers the financing of those assets.  Since the ratio measures the rate of return on the equity capital provided by the owners, the ROE should reflect not only the overall business risk involved, but also the additional financial risk assumed by the common shareholder because of the prior claim of the firm’s debt.  Thus this measure of profitability incorporates the results of operating, investing and financing decisions.  This common benchmark is used by stockholder’s to determine what to pay for a stock.  The higher the ROE, the more the common shareholders will receive in return on their invested capital.  A higher return, though, can also involve greater amounts of risk, often due to high leverage.

There are also some limitations to the use of this ratio.  ROE is based on earnings, which are influenced by the accounting methods selected by a company.  It does not take into account cash flows or the time of cash receipts (present value concepts).  Immediate receipts are more valuable than distant ones.  In some cases, an average is used for Total Shareholder’s Equity which can also distort the actual return.  The ratio tends to penalize companies that invest heavily in research and development, or use little debt.  The measure favors companies that pursue high-risk, high-leverage financing strategies or short-term, cost-cutting operating strategies.  For this reason, many companies have started to use Economic Valve Added (EVA) and non-financial measures as leading indicators that predict outcomes in financial measures.  Despite these drawbacks, ROE is still a standard ratio used by analysts.

Return on Capital:

(Net Income/Total Capital)

The Return on Capital (ROC) indicates the earnings available for all the capital involved in the enterprise (debt, preferred stock, and common stock).  This ratio will also be referred to as Return on Investment (ROI) and is a useful means for comparing companies in terms of efficiency of management and the viability of product lines (or management’s deployment of resources).  A higher ROC indicates a better utilization of assets and if this ROC is not commensurate with the perceived risk of the company, the question should be raised regarding whether the entity should continue to exist, since capital could be used more productively elsewhere in the economy.

Some problems with ROC are that it does not take into account how the company utilizes the assets on an operating level (see Return on Assets).  In addition, the ROC uses earnings and total capital which are both affected by accounting practices.

Return on Assets:

(EBIT/Average Total Assets):

The Return on Assets (ROA) measures a company’s performance in using assets to generate earnings independent of the financing of those assets.  The ROA relates the results of operating performance to the investments of a company without regard to how the company financed the acquisition of those assets.  The EBIT used in computing ROA is the income before deducting any payments or distributions to the providers of capital (including interest payments).

The ROA has particular relevance to lenders, or creditors since these parties have a senior claim on earnings and assets relative to common shareholders.  When extending credit, creditors want to be sure that the ROA generated by the company exceeds the cost of funds to the lender.  ROA also provides an indication of the ability of the company to earn a satisfactory return on all assets.

Net Profit Margin:

(Income After Tax, Before Dividends and Extraordinary Items / Nets Sales)

Net Profit Margin focuses on the profitability of each dollar of sales.  A simple way to view it is as the proportion of sales that makes its way into profits or as a company’s ability to control the level of expenses relative to revenues generated.  If the Net Profit Margin is low compared to other companies within the same industry, then the organization is converting fewer sales dollars into net income that its competitors.  This can be an indication of difficulties with the company.  A higher Net Profit Margin could indicate greater efficiency in sales and cost containment/reduction.

This ratio is affected by a wide range of variables including Gross Profit Margin, Operating Profit Margin, the effective tax rate, and interest coverage.  Changes in Net Profit Margin can be substantial but may be a wrong indication due to the influence of the other variables.  For example, the Net Profit Margin may increase but sales might decrease significantly, offsetting the change in margin.  Such a situation could even reduce profits.

Gross Profit Margin:

(Net Sales – Cost of Goods / Net Sales):

Gross Profit Margin focuses on the proportion of sales dollars that are available to cover overhead and profits after deducting the cost of goods sold.  The higher the Gross Profit Margin, the more funds the organization has to cover expenses after the cost of inventory is considered.  This ratio is an indicator of the pricing strength and product cost structure of a company, and it is a useful benchmark of the overall cost of materials, the relative productivity of a company’s production facilities, control over cost of sales, and pricing policies.  Changes in Gross Profit Margin, like Net Profit Margin, have to be considered with all other variables to properly assess the affects of chains in the indicator.

The emphasis on facilities and materials limits the measure’s effectiveness in explaining differences across industries, since these measures vary from industry to industry.  This is especially true when groupings of similar industries are used for benchmarking comparison.

Operating Profit Margin:

((Net Sales – Cost of Goods Sold – Selling, General, and Administration Expenses) / Net Sales)

The Operating Profit Margin presents the percentage of sales dollars remaining after the cost of operations (Cost of Goods, Selling, General and Administrative Expenses)  have been expensed.  The ratio indicates effectiveness of a company’s production and sales efforts in generating profits before taxes, finance charges, dividends and provisions for capital needs.  The variability of this profit margin over time is a prime indicator of the business risk of a company (the A-Score model uses this type of historical volatility measure in assessing financial distress risk).  The higher the Operating Profit Margin, the more effective the company is at generating a profit.

Interpreting trends in the Operating Profit Margin needs to include an analysis of trends in other measures such as sales.  For example, a declining trend in the Operating Profit Margin may signal that a company is lowering prices to boost sales in response to its  marketplace.  In this case, although the margin in decreasing, sales are increasing and profitability might remain roughly the same.

Revenue Trend:

(Net Sales Current Year / Net Sales Prior Year) – 1

This chart shows three years of history for the percentage growth (decline) of revenues for the given company, and for its peer group.  A company with strong continued growth in revenues is one that is able to continually sell its service or product in the market place.  Erratic growth or decline, on the other hand, may indicate problems in attracting customers for the product or service.  A faster or slower change compared to the industry change may indicate gain or loss of market share.

Net Income Trend:

(Pretax Income Current Year / Pretax Income Prior Year) -1

Net Income Trend indicates the growth of the excess of all revenues over all expenses for a company, and its peers, for three years.  Decrease in net income would either represent a decrease in revenues or an increase in expenses.  Increase in net income would be the reverse.  Erratic changes in this percentage could indicate the generation of revenues from one-time, extraordinary items, and thus ought to be investigated.

Operating Income Trend:

(Operating Income Current Year / Operating Income Prior  year) – 1

This measure is the same as Net Income Trend above except that Other income and Expense, Taxes, Discontinued Operations, Foreign Currency Translation, and Extraordinary Items have been eliminated from the revenue stream to give an indication of margin directly attributable to the operations of the business.  This trend should be examined in concert with Net Income Trend in order to identify any irregularities in reporting income.

Asset Turnover:

(Net Sales / Average of Total Assets)

Asset Turnover looks at how effectively a company is utilizing its capital to generate sales by measuring the company’s ability to generate revenues from a particular level of investment in assets; the greater the Asset Turnover, the greater the company’s performance.  A lower asset turnover in comparison to others in the same industry is a signal that a company is carrying a higher and potentially excessive investment relative to its peers.  A higher rate, on the other hand, generally reflects a company’s ability to generate sales with fewer assets.

A capital intensive company needs a larger portion of total assets, usually fixed assets, to operate.  Capital intensity is also related to the type of industry.  For example, utility companies are very capital intensive with high investments in cable, equipment, building, etc.  Capital intensity may or may not be a positive or negative aspect.  It does depend upon the industry and the environment in which the company must function.

The ratio does have limits.  Asset Turnover can drop sharply when capital expansion projects do not immediately yield offsetting sales.  In addition, leased assets are not usually recorded on the balance sheet, which means that companies can achieve high asset turnover rates by using leased assets to generate sales.  Unless this is known, high turnover rates can be incorrectly interpreted as indicating a stronger position relative to other companies in the industry.

Accounts Receivable Turnover:

(Net Sales / Average Accounts Receivable (Net))

Accounts Receivable (A/R) Turnover indicates how many times the receivables portfolio has been collected during a period which provides an indication of the number of times an organization can convert its receivables into cash in one year’s time.  A relatively high A/R turnover may signify that a company has shortened it’s billing period and collects payments on outstanding sales better than other organizations in its industry.  A company’s credit policies greatly affect the turnover rate.  A high turnover might reflect tighter credit policies and missed sales opportunities.  In addition, the A/R Ratio can be misread.  As an organization tries to expand its customer base, it might reduce credit restrictions to encourage sales.  In doing so, the A/R turnover will be affected, but the overall (long-term) result may be beneficial.

Inventory Turnover:  (Cost of Goods Sold / Average Inventory Balance)

Inventory Turnover conveys the number of times the inventory of a company is sold and replaced during a given period (usually one year).  This ratio is also referred to as the inventory utilization ratio.  It can be considered a measure of efficiency.  A high ratio might signal that inventories match market demand while a low ratio could signal a variety of problems such as excessive levels of outdated inventory, incorrect mix, production problems, etc.  This measure is important because high inventory turns generally require smooth running operations, correct marketing decisions, and effective organizational interactions between different functional areas such as manufacturing, sales, and product development.

Because sales are recorded at market value and inventories are normally carried at cost, it is more realistic to obtain the turnover ratio by dividing inventory into cost of goods sold rather than sales.  However, it is conventional to use sales as the numerator because that is the practice of compilers of published financial data.  So in order to provide comparability, the sales figure is the numerator.

The inventory turnover ratio combined with the A/R ratio are the building blocks for determining the length of the operating cycle.  An organization with a shorter operating cycle, high Inventory Turnover and high A/R Turnover, has a greater potential to be profitable.  It signifies that the company can sell its products efficiently and receive payment quickly.

2.   Financial Status Ratios

Current Ratio:

(Current Asset / Current Liabilities)

The current ratio indicates a company’s ability to pay off short term obligations with current assets.  At a glance, it gives an investor an idea of how many dollars included in current assets can cover $1 of current liabilities.  The greater the ratio the more dollars in current assets to pay current liabilities.  The measure is frequently used to assess investment risk:  How liquid is the company?  How easily it can respond to changes in its environment that might demand near-term cash outlays?  In general, a company that has a small inventory and readily collectible accounts receivable can operate safely with a lower current ratio than a company whose cash flow is less liquid and less dependable.

The ratio’s primary limitation is that it includes inventory which might not be readily convertible to cash.  The Quick Ratio attempts to remove this limitation, examining how well a company can respond in a near-crisis situation without selling inventory.

Quick Ratio:

(Current Assets – Inventory / Current Liabilities)

The Quick Ratio or Acid Test Ratio is a measure of a company’s ability to pay off short term obligations without relying on the sale of inventories, which may not be as liquid as certain other current assets.  Unlike the Current Ratio, it includes only a company’s most liquid assets.  Like the Current Ratio, it is used as a way to assess investment risk which gives an idea of how many dollars of current assets cover $1 of current liabilities.  The greater the ratio is, the more liquid assets a company has available to handle current obligations.  Assuming there is nothing happening to slow or prevent collections, a quick ration of 1 to 1 or better is usually satisfactory.

Long Term Debt to Capital:

(Long Term Debt / (Long Term Debt + Total Common Shareholders’ Equity, Preferred Stock, and Minority Interest)).

Financial leverage occurs when a company finances its assets through debt instruments rather than equity.  Long Term Debt to Capital measures the extent of this leverage.  The larger the ratio, the more leveraged the company.  A company with a higher leverage has a smaller percentage of owner’s equity relative to debt in the capital structure.  If the company earns more on its investments financed with borrowed funds than it pays in interest costs, then the return on the owners’ capital is magnified or “leveraged.”  Since owner’s equity is the denominator in ROE, a highly leverage company has the potential to achieve a greater ROE.  However, this potential for greater returns may be matched by higher risk.  Creditors, in general, prefer low debt to capital ratios, since the lower the ratio, the greater the cushion against creditors’ losses in the event of liquidation.  While owners might patiently wait for returns, creditors demand repayments in good times and bad.  However, comparison of this ratio can be misleading.  The most significant reason for difficulties is that the market value and interest costs of the debt, which can be more important factors, are not reflected in the Long Term Debt to Capital Ratio.

In assessing the Long Term debt to Capital ratio, analysts customarily vary the standard in relation to the stability of the company’s earnings and cash flows from operations.  The more stable the earnings and cash flows, the higher the debt ratio considered acceptable or safe.  In addition, with the consideration of long term debt, it is also good to review other long term obligations.  Certain long term obligations, not included on the balance sheet, require the company to make a series of fixed payments.  For example, if an organization uses long term operating leases to function, these amounts should be included in the ratio to get a better sense of the company’s actual leverage.

Interest Coverage Ratio:

(EBITDA/ Interest Expense)

Interest Coverage indicates how many times interest charges have been earned by the company on a pre-tax basis.  From the risk perspective of a credit analyst, a failure to meet interest payments would qualify as a default under terms of indentured agreements.  The interest coverage ratio measures a margin of safety and assesses the probability of a company’s failing to meet required interest payments.  The amount of safety desirable depends on the stability of a company’s earnings.

One drawback is that the ratio uses earnings rather than cash flows in the numerator.  Companies pay interest and other fixed payment obligations with cash, not with earnings.  As a result, many analysts will calculate an interest coverage ratio with operating cash flow as opposed to earnings.  When the value of the ratio is relatively low (for example one to two times), some measure of cash flow, such as EBITDA minus capital expenditures, should be used in order to determine if a cash flow problem exists.

It is interesting to note that 1 minus the reciprocal of the coverage ratio indicates how much earnings could decline before it would be impossible to pay the fixed interest charges; for example, a coverage ratio of 5 means earnings could decline by 80% (1-(1/5)), and the company could still pay the fixed financial charges.

Long Term Debt to Cash Flow:

(Total long term debt / (Income before extraordinary items + deferred tax provision + depreciation and amortization expense + equity losses (earnings).

Companies operate on actual cash flow generated and this ratio shows the relationship between the cash generating capability of the company’s operations and the eventual cash outflows required to pay outside creditors.  It ignores other typical cash requirements such as capital expenditures since these are often delayable at the company’s discretion while debt payments are not.  It also does not consider maturity schedules which obviously are a key determinant of when the cash is needed.  Despite these drawbacks, its simplicity makes it a useful initial indicator of potential problems.  This ratio measures the number of years it would take the company to pay off its long-term debt based on current cash flow.

3.   Market Value Ratios

Price/Book Ratio:

(Market Price Per Common Share / Book Value Per Common Share)

The ratio indicates the amount shareholders are willing to pay for the net asset value underlying a share of stock.  A ratio greater than 1 suggests that investors consider the net assets to be more valuable than book value.  Usually companies with relatively high rates of return on equity sell at higher multiples of book value than those with low returns.  Thus, the more valuable the stock to investors, the higher the Price/Book Ratio will be.

This ratio also indicates the value that the market attaches to the management and the organization of the company as a going-concern.  Since book value represents historical cost, a well-run company with strong management and an organization that functions efficiently should have a market value greater than, or at least equal to, book value.  A market to book value ratio of less than one, indicates that the market values the company at less than the book value of its net assets.  Such result should be viewed as an indicator of risk.

The comparability of the ratio is limited by differences between the book value of large intangible and undervalued assets and their true worth and differences in the age and depreciation of property, plant, and equipment.

Price/Earnings Ratio:

(Market Price Per Common Share / Earnings Per Share)

The Price/Earnings Ratio shows how much investors are willing to pay per dollar of reported or projected profits.  The P/E ratio which is also commonly referred to as the multiple, gives an investor an idea of how much they are paying for a company’s earning power.  The higher the P/E, the more the investors are paying, and therefore the more earnings growth they are expecting.  In general, high P/E stocks – those with multiples of 20 – are typically young, fast-growing companies and companies in high growth industries.  They are far riskier to trade than low P/E stocks, since it is easier to miss high-growth expectations than low-growth predictions.  Low P/E stocks tend to be a low-growth or mature industries, in industries that have fallen out of favor, or in old, established, blue-chip companies with long records of earnings stability and regular dividends.  In general, low P/E stocks have higher yields than high P/E stocks, which often pay no dividends at all.

The P/E ratio may either use the reported earnings from the latest year (called a trailing or LTM (Last Twelve Months) P/E) or employ analyst’s forecast of next years earnings (called a forward P/E).  The trailing P/E is listed along with a stock’s price and trading activity in the daily newspapers.  For example, a stock selling for $20 per share that earned $1 last year has a trailing P/E of 20.  If the same stock has projected earnings of $2 next year, it will have a forward P/E of 10.

There are several limitations of using P/E Ratio to assess a company’s position.  When using a trailing P/E, the market price (numerator) is focused on future returns while earnings (denominator) are historical in nature.  Significant fluctuations in the P/E ratio can occur over time caused by erratic earning patterns.  Also, cross-company comparison is difficult due to different accounting and financing techniques.  These considerations should be taken into account when using the ratio to determine a company’s relative position.

Price/EBIT Ratio:

(Market Price Per Common Share / (Net Income Before Interest, Taxes, and Extraordinary Items))

Similar to the P/E ratio, Price/EBIT reflects how much investors are willing to pay per dollar of reported or projected operating profits.  As discussed above, one of the limitations of the P/E ratio is that certain accounting and financing decisions (e.g. one-time charges and debt-equity mix) of a company can impact net earnings.  The Price/EBIT ratio adjusts the earnings component to reflect operating results in an attempt to calculate a relative multiple that is not affected by certain accounting and financing decisions.  Price to EBIT reflects the investors’ attitudes on operating earnings, both trailing and future.  A relative comparison such as Price/EBIT between similar companies will provide a better understanding of how the market values the operations of a business than the P/E in some cases.  The higher the ratio, the higher the expected EBIT in the future.

The limitations of the Price/EBIT ratio are similar to those encountered when using the P/E Ratio.  Again, the comparison of future returns based on historic earnings is used.  Fluctuations can occur due to erratic revenues or expenses.  Although the Price to EBIT ratio removes some accounting affects, comparing companies in the same industry can still be difficult because of such issues as inventory methods.

Maret 1, 2010


Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 12:00 am

I. Pengantar

Pelaksanaan pemeriksaan/audit terhadap internal kontrol perusahaan atas laporan keuangannya menurut metodologi SOX adalah barang baru di Indonesia. Hal ini disebabkan karena komisi pasar bursa Indonesia belum mengadopsi peraturan ini untuk diterapkan pada perusahaan yang sahamnya sudah diperdagangkan di pasar bursa dalam negeri. Di Indonesia, praktek pemeriksaan internal kontrol dengan metodologi SOX 404 ini hanya dilakukan segelintir perusahaan yang umumnya adalah perusahaan multinasional yang sahamnya diperdagangkan di pasar bursa AS dan yang beroperasi di Indonesia. Hanya sedikit jumlah orang yang mengetahui bagaimana pemeriksaan dan penilaian internal kontrol atas laporan keuangan menurut metodologi SOX 404 ini. Melihat kenyataan ini, kami berniat untuk membagikan pengetahuan tersebut kepada berbagai kalangan agar kiranya pengetahuan ini dapat dimiliki oleh semua pihak.

Panduan praktis ini kami susun berdasarkan peraturan Sarbanes-Oxely seksi 404, standard audit yang dikeluarkan oleh PCAOB (Public Company Accounting Oversight Board), dan pengalaman kami selama melakukan pemeriksaan internal kontrol dengan metodologi Sarbanes-Oxely seksi 404.

II. Sekilas Mengenai SOX (Sarbanes-Oxely) Act 2002

    SOX adalah sebuah peraturan yang mempengaruhi banyak pihak. Untuk auditor (ekternal dan internal), SOX merupakan sistem baru dalam proses audit perusahaan swasta, sebuah revisi atas independensi dan level baru dari proses pelaporan audit pada perusahaan publik. Untuk manajemen perusahaan diwajibkan untuk meningkatkan jaminan terhadap konflik kepentingan, sertifikasi yang jelas atas penyimpanan dokumen penting, pelaporan internal kontrol atas laporan keuangan dan perbaikan atas kriteria pengungkapan. Untuk audit komite, SOX merupakan sebuah lanjutan dari peraturan bagi perusahaan-perusahaan publik termasuk tanggung-jawab langsung untuk memantau proses audit eksternal, persetujuan awal atas seluruh jasa audit ataupun jasa bukan audit, revisi peraturan mengenai independensi dan keahlian keuangan dan pengawasan, menerima dan mencari pemecahan yang mungkin atas keluhan mengenai pelaporan keuangan perusahaan dan isu yang berasal dari hasil audit.

    SOX’s Act terdiri dari banyak bagian yang mempengaruhi banyak pihak; auditor, audit komite, dan manajemen perusahaan. Bagi perusahaan public, terdapat tiga bagian penting yang harus diperhatikan manajemen, yaitu ; seksi 404, 906, dan 302. Peraturan ini sudah mulai dilaksanakan oleh perusahaan-perusahaan publik di AS sejak dikeluarkannya peraturan tersebut, Juli 2002, namun yang menjadi penekanan adalah seksi 302 dan seksi 404.

    Seksi 404 berisi peraturan yang mewajibkan manajemen untuk menilai internal kontrol yang sudah dilaksanakan atas laporan keuangannya serta pengesahan dari auditor eksternal. Seksi 906 berisi peraturan yang mewajibkan manajemen perusahaan secara periodik untuk melaporkan segala sesuatu menyangkut informasi keuangan yang juga tunduk kepada peraturan bursa saham, serta menyatakan dengan benar kondisi laporan keuangan dan hasil operasi perusahaan. SOX’s act seksi 302 berisi peraturan yang hampir sama dengan seksi 906, tetapi seksi 302 berisi tambahan atas pengungkapan yang berhubungan dengan pengungkapan internal kontrol dan prosedurnya, serta internal kontrol dan penipuan/kecurangan.

    Seksi 404 secara khusus memberikan perhatian kepada internal kontrol perusahaan atas laporan keuangannya. Lebih lanjut, seksi 404 merupakan penilaian internal kontrol yang sudah dilaksanakan oleh manajamen perusahaan yang dilakukan oleh divisi internal kontrol atau divisi internal audit perusahaan atau bahkan auditor eksternal yang disewa perusahaan untuk mem-validasi internal kontrol yang ada di perusahaan.

    Dalam mengevaluasi internal kontrol yang dilaksanakan perusahaan, manajemen melalui departemen internal kontrol/audit, serta evaluasi yang dilakukan oleh auditor eksternal, perlu mempertimbangkan untuk menggunakan krangka yang disusun oleh COSO (Committee of Sponsoring Organization of the Tradeway Commission).

    Krangka COSO terdiri dari 3 dimensi , yaitu:

    1. Operasi;
    2. Laporan Keuangan;
    3. Kepatuhan;

    Ketiga dimensi tersebut memiliki beberapa kriteria untuk mengevaluasi internal kontrol perusahaan, yaitu:

    1. Pengawasan (monitoring);
    2. Informasi dan komunikasi (information and communication);
    3. Aktivitas Kontrol (control activities);
    4. Penaksiran Resiko (risk assessment);
    5. Lingkungan pengendalian (control environment);

    Pengawasan (monitoring)

    Beberapa atribut yang perlu diperhatikan auditor dalam kriteria informasi dan komunikasi:

    1. Penaksiran kinerja sistem kontrol yang ada;
    2. Kombinasi evaluasi secara terus menerus dan evaluasi terpisah;
    3. Defisiensi atas internal kontrol harus dilaporkan kepada top manajemen;
    4. Kombinasi antara evaluasi terus menerus dan evaluasi terpisah akan menjamin efektifitas sistem internal kontrol yang dirancang;

    Informasi dan komunikasi (information and communication)

    Beberapa atribut yang perlu diperhatikan auditor untuk memenuhi kriteria informasi dan komunikasi:

    1. Identifikasi informasi yang berhubungan, rekam dan komunikasikan dalam bentuk yang memungkinkan setiap orang dalam perusahaan untuk menjalankan tanggungjawabnya;
    2. Masukkan informasi yang berasal dari dalam dan dari luar perusahaan mengenai suatu kejadian, kondisi yang mungkin dibutuhkan dalam pembuatan keputusan bisnis atau bahkan laporan perusahaan kepada pihak luar;
    3. Aliran informasi yang mendukung kesuksesan kontrol; dari instruksi pada tanggungjawab manajemen sampai kepada perangkuman temuan yang perlu ditindaklanjuti oleh manajemen perusahaan;

    Aktifitas Kontrol (control activities)

    Atribut yang perlu diperhatikan auditor dalam aktifitas kontrol ini adalah kebijakan dan prosedur (policies and procedures) dalam setiap aktifitas perusahaan. Hal ini bertujuan untuk mengidentifikasi resiko-resiko yang akan dihadapi untuk mencapai tujuan yang telah ditetapkan

    Penaksiran Resiko (risk assessment)

    Beberapa atribut  yang perlu diperhatikan auditor dalam penaksiran resiko adalah:

    1. Prediksi ataupun penaksiran resiko atas tujuan yang telah ditetapkan, hubungan-hubungan resiko tersebut kepada bagian-bagian yang ada dalam perusahaan;
    2. Identifikasi dan analisis atas resiko yang relevan atas tujuan (objectives) yang telah ditetapkan;
    3. Bentuk dasar atas penentuan bagaimana seharusnya penanganan resiko yang ada;
    4. Mekanisme yang dibutuhkan untuk mengidentifikasi resiko khusus yang tidak terlepas dari perubahan yang ada;

    Lingkungan pengendalian (Control environment)

    Hal-hal yang perlu diperhatikan oleh auditor yang mencakup dalam lingkungan pengendalian adalah:

    1. Intergritas dan nilai-nilai etika;
    2. Kompetensi dari orang-orang yang ada di perusahaan;
    3. Filosofi perusahaan;
    4. Pelaksanaan tanggung jawab atas tugas yang dibebankan;
    5. Perhatian dan bimbingan yang diberikan oleh komisi perusahaan;

    III. Tahapan Audit berdasarkan pendekatan Sarbanes-Oxely Seksi 404

    1. Tahap Perencanaan Implementasi

    Dalam tahap perencanaan untuk implementasi SOX, departemen internal kontrol/audit harus bekerja sama dengan pemilik proses bisnis/manajemen terkait (Business Process Owner). Hal ini disebabkan karena pemilik proses bisnislah yang merupakan pemilik atas pengendalian internal/internal kontrol dalam proses bisnis yang menjadi tanggungjawabnya. Pemilik proses bisnis ini nantinya harus mengesahkan kontrol yang sudah dipetakan oleh auditor. Lebih lanjut, pada tahapan ini auditor harus menentukan sumber daya yang dibutuhkan untuk me-review proses bisnis yang kegiatannya mempengaruhi laporan keuangan perusahaan.

    Pada tahap perencanaan, auditor harus menentukan cakupan atas pemeriksaan yang dilakukan. Sesuai dengan standard audit (PCAOB; Public Company Accounting Oversight Board) No. 2, cakupan pemeriksaan SOX’s harus memperhatikan:

    1)    Lokasi-lokasi atas unit-unit bisnis dalam perusahaan yang memiliki porsi besar dari aktifitas perusahaan secara keseluruhan. Menurut PCAOB unit-unit bisnis yang besar operasinya 60 sampai 75% dari total operasi perusahaan dan dipertimbangkan mempengaruhi posisi keuangan perusahan untuk hal-hal berikut:

    –       Pendapatan (Revenue);

    –       Laba operasi;

    –       Pendapatan bersih (Net Income);

    –       Total Assets;

    –       Ekuitas pemegang saham;

    2)    Lokasi unit-unit bisnis yang memiliki resiko signifikan (misalnya; unit bisnis yang baru diakuisisi, pusat jasa layanan, dsb.)

    Contoh ruang lingkup pemeriksaan SOX 404, sebagai berikut:

    Siklus utama

    –       Aktiva tetap (Fixed Assets);

    –       Pembelian;

    –       Pendapatan;

    –       Pajak Penghasilan;

    –       Persediaan;

    –       Pelaporan Keuangan;

    –       Dana pensiun, dsb.

    Siklus Teknologi Informasi

    Merupakan kontrol umum atas penggunaan komputer perusahaan:

    –       Pengembangan dan implementasi sistem

    –       Pengelolaan atas perubahaan sistem

    –       Keamanan

    –       Operasi sistem

    Siklus lain juga dapat ditambahkan sesuai dengan kondisi bisnis perusahaan (besar perusahaan dan tingkat kompleksitas operasi perusahaan); misalnya: Royalti, ekuitas perusahaan, dsb.

    2. Tahap Dokumentasi Proses Bisnis (Walktrhough)

    Dalam tahap dokumentasi proses bisnis yang sudah termasuk dalam cakupan evaluasi SOX 404, tahapan yang perlu dilakukan adalah:

    1) Berdasarkan cakupan review (review scope) auditor mulai menjadwalkan pertemuan dengan manajemen yang bertanggungjawab atas proses atau siklus yang akan direview (Business Process Owner/BPO);

    2) Dalam pertemuan dengan manajemen terkait, auditor harus menjelaskan tujuan dan latar belakang serta apa yang akan diperlukan dalam review internal kontrol berdasarkan metodologi SOX Act seksi 404. Tujuannya adalah agar manajemen mengetahui dengan jelas apa itu review SOX seksi 404, apa hubungan antara aktifitas operasi mereka dengan laporan keuangan, dan apa dampaknya jika mereka tidak melaksanakan kontrol atau tidak memiliki kontrol atas proses produksi yang mereka lakukan. Lebih lanjut, agar pihak manajemen terkait mengetahui apa saja yang perlu mereka persiapkan untuk mendukung proses pelaksanaan pemeriksaan SOX, misalnya Standar Operasional, dokumen yang dibutuhkan, serta apa yang perlu dilakukan selama proses review internal kontrol oleh SOX auditor. Dalam proses ini, auditor harus menjadi partner dan konsultan bagi manajemen agar manajemen terbuka dalam mengungkapkan proses bisnis yang berada di bawah tanggung-jawabnya. Auditor juga harus membantu manajemen untuk memecahkan masalah yang dihadapi manajemen sehubungan dengan internal kontrol yang mereka laksanakan agar sesuai dengan kriteria Sarbanes-Oxely seksi 404. Perlu diperhatikan juga bahwa auditor kemungkinan perlu bertemu dengan berbagai pihak yang berhubungan dengan proses bisnis yang akan direview oleh auditor. Misalnya jika auditor ingin mereview persediaan, maka auditor harus bertemu dengan manajemen persediaan yang bertugas untuk menerima, mencatatkan persediaan pada buku persediaan gudang, dan mengeluarkan barang, serta akunting yang bertanggungjawab untuk mencatatkan pergerakan persediaan pada sistem akuntansi perusahaan, memantau pergerakan persediaan, serta bagian umum yang mungkin ikut ambil bagian untuk proses disposal persediaan;

    3) Auditor memetakan dan menggambarkan proses bisnis yang berada di bawah tanggungjawab manajemen bersangkutan. Pada tahapan ini auditor harus mendapatkan gambaran proses bisnis yang berada di bawah manajemen bersangkutan secara rinci, mulai dari proses operasi bisnisnya sampai dengan proses akuntansi (proses pencatatan dan jurnal) yang berhubungan dengan proses bisnis tersebut.

    Misalnya: Auditor ingin mereview internal control terhadap Aktiva Tetap perusahaan. Maka auditor perlu menangkap dan menggambarkan proses pencatatan aktiva tetap tersebut. Dimulai dari awal proses pencatatan aktiva tetap pada system akuntansi perusahaan (buku besar aktiva tetap), jurnal pengakuan aktiva tetap pada buku umum perusahaan (general ledger), metode perhitungan dan pencatatan penyusutan setiap bulannya, proses rekonsiliasi bulanan atas buku besar aktiva tetap dengan buku umum perusahaan, profisi dari aktiva tetap perusahaan (proses perhitungan sampai hirarki persetujuan atas besarnya profisi tersebut), proses disposal aktiva tetap (pengajuan sampai persetujuan dan pencatatan pada system akuntansi perusahaan);

    4) Auditor harus menerjemahkan proses bisnis yang sudah dipetakan berdasarkan penjelasan manajemen ke dalam bentuk bagan (flowchart) dan narasi. Bagan yang dibuat harus bisa mencerminkan proses bisnis secara lengkap, mudah dimengerti oleh siapa saja;

    5) Auditor juga perlu membuat narasi atas bagan dari proses bisnis yang sudah dipetakan. Isi narasi dari proses bisnis ini tergantung pada pertimbangan auditor. Jika auditor merasa perlu untuk menceritakan, menjelaskan proses bisnis yang dipetakannya secara jelas, lengkap, maka auditor dapat menyusun narasi tersebut dengan menggambarkan proses bisnisnya dengan lengkap. Tapi, jika auditor memiliki pertimbangan lain, demi penyederhanaan, maka narasi proses bisnis tersebut dapat disusun sesingkat mungkin, tanpa perlu menerangkan proses bisnis secara terperinci (hingga ke praktek teknis dilapangan. Namun apapun bentuk narasi yang diinginkan oleh auditor, auditor perlu menggambarkan proses akuntasi (jurnal akuntansi) untuk aktifitas tersebut secara terperinci. Hal ini juga sebagai analisa awal apakah proses pencatatan atas transaksi pada proses yang bersangkutan sudah dilakukan dengan benar atau tidak. Hal ini juga sebagai masukan awal bagi auditor terhadap kebenaran penyajian data pada laporan keuangan perusahaan;

    6) Dalam penggambaran proses ini, auditor perlu mendokumentasikan seluruh proses yang dilakukan oleh auditor dalam memetakan proses dan kontrol yang dilaksanakan oleh manajemen serta dokumen yang digunakan pada masing-masing proses atau kontrol tersebut sebagai bukti proses dokumentasi proses bisnis yang dilakukan oleh auditor sebagai bagian dari proses pelaksanaan audit SOX 404. Hal ini diperlukan untuk evaluasi berkelanjutan atas pelaksanaan pemeriksaan internal kontrol berdasarkan metodologi SOX, sehingga mutu dari pelaksaannya dapat diperbaiki seiring dengan perkembagangan waktu. Lampiran berikut adalah contoh dari dokumentasi atas proses yang dilakukan oleh auditor – dokumentasi pendahuluan (walkthrough documentation);

    7) Dari proses bisnis yang digambarkan oleh auditor, auditor harus mendeskripsikan kontrol yang berhubungan dengan masing-masing proses yang dilaksanakan oleh manajemen bersangkutan dan mencocokkan kontrol tersebut dengan panduan kontrol (key control) yang dimiliki perusahaan. Panduan kontrol ini dapat dibentuk oleh departemen internal kontrol sesuai dengan kebutuhan dan kompleksitas perusahaan namun tetap mengacu pada kebutuhan untuk memenuhi permintaan SOX seksi 404. Di bawa ini adalah contoh panduan kontrol dalam proses audit persediaan; (double click icon excel bila table tidak terlihat)

    Panduan Kontrol Atribut Kontrol
    M A Y
    1.      Penerimaan bahan baku langsung hanya dapat dilakukan jika terdapat dokumen atau order pembelian yang sudah diotorisasi. (Keterjadian)
    2.      Perhitungan fisik persediaan dilakukan secara periodic oleh pihak independent, dimana hasilnya harus direkonsiliasi dengan buku umum (general ledger). Jika terdapat penyesuaian terhadap persediaan, maka penyesuaian itu harus ditinjau dan disetuji oleh pihak yang berwenang (Keberadaan) Ö Ö
    3.      Semua penghapusan persediaan harus ditinjau dan disetujui oleh pihak yang berwenang Ö
    4.      Jika ada, rekonsiliasi antara buku besar persediaan dengan buku umum (general ledger) disiapkan secara periodic dan disetujui oleh pihak yang berwenang [Kelengkapan] Ö Ö
    5.      Persediaan disimpan di lokasi yang aman dan dapat dipantau (Keberadaan) Ö
    6.      Akses ke dalam sistem informasi dibatasi hanya kepada pihak yang berkepentingan saja (Pembagian tugas dan tanggung-jawab) Ö Ö

    Catatan: M: Kontrol utama, K: Kontrol, Y: kontrol yang aktifitasnya terjadi secara tahunan

    8) Kontrol yang sudah dideskripsikan dan dipetakan oleh auditor dan yang sudah dicocokkan dengan panduan kontrol yang dimiliki auditor sebaiknya dikumpulkan dalam satu data base atau kertas kerja (jika perusahaan belum memiliki data base kontrol keuangan);

    9) Sesuai dengan kontrol yang sudah dipetakan oleh auditor dan panduan kontrol yang dimiliki auditor, auditor harus membuat rencana testing (testing plan) untuk menguji keberadaan kontrol tersebut (apakah kontrol tersebut sudah benar-benar dilaksanakan, sudah konsisten dan sudah tepat guna).

    10) Dalam rencana pengujian itu harus ditentukan besarnya sampel dokumen yang dibutuhkan. Besarnya sampel ini berdasarkan pertimbangan auditor di mana harus mempertimbangkan frekwensi dari keterjadian kontrol atas kegiatan bisnis yang sedang dievaluasi. Sebaiknya departemen internal kontrol sudah memiliki standard atas jumlah sampel yang dibutuhkan untuk masing-masing tingkat keterjadian kontrol (transaksi). Jenis kontrol atas transaksi ini dapat digolongkan ke dalam kontrol transaksi harian (daily transaction), kontrol transaksi mingguan (weekly), kontrol transaksi bulanan (monthly), kontrol transaksi kuartalan, kontrol transaksi tahunan. Berikut ini adalah contoh penggolongan keterjadian kontrol atas transaksi dan jumlah dokumen sampel yang dibutuhkan untuk pengujian.

    Tingkat Keterjadian Kontrol Kontrol Utama (Major Key Control) Kontrol (Key Control)
    Terjadi berkali-kali dalam sehari 50 25
    Terjadi setiap hari 30 15
    Terjadi setiap minggu (weekly) 20 10
    Terjadi setiap bulan (monthly) 6 3
    Terjadi setiap kuartal (quarterly) 2 2
    Terjadi setiap tahun (yearly) 1

    11)  Alur proses bisnis (bagan dan narasi), dokumentasi kontrol, rencana testing harus disetujui oleh manajemen yang terkait dengan proses bisnis yang ditinjau (review). Hal ini digunakan sebagai bukti bahwa manajemen bersangkutan sudah menyetujui dan mengesahkan proses dan kontrol yang digambarkan auditor, serta bukti persetujuan dari manajemen untuk melakukan pengujian atas kontrol yang sudah mereka jalankan atas proses bisnis yang menjadi tanggung-jawab mereka.

    Lampiran berikut adalah contoh lengkap dokumentasi kontrol yang disusun auditor atas kontrol yang sudah dijalankan oleh manajemen dan kecocokannya dengan panduan kontrol yang ada serta rencana pengujian yang akan dilakukan oleh auditor;

    3. Tahap Pengujian

    a) Tujuan dari pengujian kontrol atas laporan keungan adalah untuk menyediakan bukti atas efektifitas kontrol serta untuk mendukung pendapat auditor atas penilaian manajemen terhadap internal kontrol atas laporan keuangan perusahaan.

    b) Untuk menggambarkan pendapatnya auditor mengenai efektifitas internal kontrol perusahaan atas laporan keuangannya, auditor harus menyertakan bukti bahwa internal kontrol atas laporan keuangan perusahaan sudah berjalan secara efektif untuk periode waktu tertetntu (biasanya untuk satu tahun)

    c) Sebelum memberikan pendapat atas efektifitas internal kontrol perusahaan atas laporan keuangannya, maka auditor harus melakukan pengujian atas kontrol tersebut. Tujuan utama dari pengujian ini adalah untuk mengukur resiko dari masing-masing kontrol dan meyakinkan bahwa kontrol yang sudah dirancang oleh manajemen dilaksanakan secara benar, efektif, dan konsisten. Untuk itu, auditor harus menyertakan bukti yang relevan terhadap kontrol yang diuji selama periode pemeriksaan.

    d) Auditor melakukan pengujian kontrol berdasarkan dokumen-dokumen yang sudah diambil auditor berdasarkan rencana pengujian yang sudah ditetapkan auditor dan yang sudah disetujui oleh manajemen terkait. Auditor sebaiknya mempunyai standard, atau ketentuan untuk menyatakan apakah kontrol tersebut efektif atau tidak. Standard ini dapat disusun oleh auditor berdasarkan pertimbangan profesionalnya, kompleksitas aktifitas bisnis, dan lain sebagainya. Misalnya untuk transaksi harian, maka auditor menentukan dari sejumlah dokumen yang diuji jika ditemukan 2 dokumen yang tidak sesuai dengan kontrol yang dijalankan manajemen dan divalidasi manajemen pada saat penggambaran proses dan kontrol, maka auditor dapat menyimpulkan bahwa kontrol atas transaksi tersebut gagal (failed atau), atau disebut penyimpangan kontrol (control deficiency).

    e) Berdasarkan standard/pedoman yang sudah disusun oleh auditor, maka auditor dapat memberikan pendapat apakah kontrol yang disusun dan dijalankan oleh manajemen sudah berjalan dengan baik, efektif, dan konsisten. Ketidakcukupan kontrol, ketidakefektifan kontrol, dan ketidakkonsistenan kontrol dapat membawa auditor ke dalam kesimpulan bahwa kontrol yang dilaksanakan manajemen perusahaan atas laporan keuangannya tidak efektif karena terdapat defisiensi atas kontrol tersebut. Jika hal ini terjadi, maka auditor harus menentukan efek dari defisiensi kontrol yang ada, waktu, dan prosedur substantif yang akan dilakukan untuk mengurangi resiko atas salah saji material pada laporan keuangan hingga ke level terendah. Defisiensi kontrol akan signifikan jika keterjadian defisiensi tersebut disadari lebih dari sekedar pemicu atas salah saji material pada laporan keuangan. Dampak dari defisiensi kontrol inipun perlu dievaluasi secara terpisah dan secara menyeluruh terhadap salah saji pada laporan keuangan perusahaan

    f) Auditor harus menyampaikan hasil pengujian kontrolnya kepada manajemen sesegera mungkin. Hal ini bertujuan untuk memberikan waktu cukup bagi manajemen untuk memperbaiki pelaksanaan kontrol, jika terjadi defisiensi kontrol, sehingga pada saat pengujian kembali (remediation), auditor tidak lagi menemukan adanya penyimpangan kontrol (open issue). Dari sisi kertas kerja (working paper), sebaiknya departemen internal kontrol memiliki standard supaya seluruh auditor yang mereview proses kontrol dengan metodologi SOX untuk masing-masing siklus (mis: siklus persediaan, aktiva tetap, pembelian) menyajikan kertas kerja dengan bentuk yang seragam;

    4. Tahap Perbaikan (Remediation)

    a) Tujuan dari tahap perbaikan ini adalah untuk memberikan kesempatan kepada manajemen memperbaiki penyimpangan kontrol yang ada;

    b) Untuk itu, auditor perlu mengkomunikasikan hasil pengujiannya kepada manajemen dan mengembangkan rencana perbaikan (penentuan batas waktu perbaikan). Untuk penentuan batas waktu perbaikan kontrol, sebaiknya departemen internal kontrol memiliki pedoman baku yang dapat digunakan seluruh internal kontrol/auditor pada saat melakukan review SOX. Misalnya untuk penyimpangan atas kontrol untuk transaksi yang terjadi secara harian ditentukan lama perbaikan adalah 1 bulan. Penentuan ini dapat dilakukan atas pertimbangan auditor sesuai dengan kondisi perusahaan;

    c) Pada tahap perbaikan ini, auditor perlu mengingatkan manajemen terkait untuk melaksanakan kontrolnya secara benar, konsisten, dan dampaknya jika kontrol tersebut tidak dilaksanakan secara benar dan konsisten terhadap laporan keuangan perusahaan;

    5. Tahap Pengujian Kembali

    a) Setelah melalui masa perbaikan, auditor harus menguji kembali kontrol yang ada melalui contoh dokumen (sampel) untuk memastikan bahwa manajemen sudah melakukan perbaikan atas pelaksanaan kontrol yang ada;

    b) Jumlah dokumen (jumlah sampel) yang akan diuji tidak sama dengan jumlah sampel seperti pada waktu auditor melakukan pengujian sebelumnya

    c) Departemen internal kontrol/audit harus menentukan standard terhadap besarnya jumlah sampel yang diperlukan untuk tahap pengujian kembali ini. Jumlah sampel didasarkan atas pertimbangan auditor terhadap kondisi perusahaan (jumlah transaksi, kompleksitas perusahaan)

    d) Auditor harus menyiapkan kertas kerja terpisah untuk tahap pengujian kembali

    e) Jika dari hasil pengujian kembali ini, auditor menemukan bahwa pelaksanaan kontrol sudah diperbaiki dan dilakukan secara konsisten, maka auditor dapat menyimpulkan bahwa internal kontrol atas aktifitas tersebut sudah berjalan dengan baik (isu yang ada bisa ditutup). Tetapi jika dari hasil pengujian kembali tersebut auditor menemukan bahwa manajemen masih melaksanakan kontrol tersebut dengan tidak konsisten, maka auditor dapat menyimpulkan bahwa pelaksanaan kontrol untuk aktifitas tersebut tidak berjalan dengan baik. Hal ini sering dianggap sebagai issue yang masih belum terpecahkan (open issue). Apapun hasil dan kesimpulan auditor terhadap pelaksanaan internal kontrol atas aktifitas yang dievaluasinya harus dilaporkan kepada manajemen perusahaan, Top Manajemen (Direktrur Internal Kontrol, Direktur Keuangan, dan Direktur Utama perusahaan).

    6. Tahap Pelaporan

    Hasil evaluasi auditor sebaiknya didokumentasikan ke dalam data base manajemen pengendalian keuangan (Financial Control Management). Atau jika perusahaan masih belum memilikinya, manajemen bisa membuat laporan tersebut ke dalam bentuk manual (format excel).

    Top manajemen akan mereview hasil pengujian kontrol yang dilakukan oleh Departemen Internal Kontrol, menyetujuinya dan menyampaikannya kepada Komisi pasar bursa (Stock Exchange Commission). Sebelum menyampaikan hasil evaluasi kepada top manajemen, departemen internal kontrol biasanya menyampaikan hasil evaluasinya kepada auditor eksternal untuk mendapatkan persetujuan atau menyampaikan kesimpulan atas pelaksanaa internal kontrol di perusahaan. Berikut ini adalah contoh laporan/kertas kerja pelaporan atas hasil pemeriksaan internal control/auditor terhadap efektifitas internal control yang dilakukan manajemen atas laporan keuangannya (khusus untuk seksi 404)

    Demikianlah panduan praktis ini kami susun. Kami berharap semoga panduan praktis ini bisa bermanfaat bagi berbagai kalangan. Kami menyadari bahwa panduan praktis ini masih jauh dari sempurna, untuk itu kami sangat berharap atas masukannya demi penyempurnaan panduan ini ke depannya. Seperti tujuan kami, kami ingin membagikan ilmu pengetahuan di bidan bisnis dan ekonomi kepada seluruh lapisan masyarakat, demi perkembangan dan kemajuan bangsa.

    Daftar Bacaan

    1. Sarbanes-Oxely Act seksi 404
    2. Standard Audit no 2 oleh PCAOB (Public Company Accounting Oversight Board)
    « Laman SebelumnyaLaman Berikutnya »

    Buat situs web atau blog gratis di